From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: [Bug 48388] mod proxy disabling workers after a single error
Date: Tue, 10 Feb 2015 13:45:42 +0000
X-Bugzilla-Product: Apache httpd-2
X-Bugzilla-Component: mod_proxy
X-Bugzilla-Version: 2.2.14
X-Bugzilla-Keywords: FixedInTrunk
X-Bugzilla-Severity: major
X-Bugzilla-Status: RESOLVED
X-Bugzilla-URL: https://issues.apache.org/bugzilla/

https://issues.apache.org/bugzilla/show_bug.cgi?id=48388

--- Comment #17 from metatechbe@gmail.com ---

Here is more information regarding our problem.

It is not a Solaris 11 bug but a Solaris 11 security hardening. In Solaris 10, the outgoing TCP ports were chosen sequentially. In Solaris 11, probably to implement RFC 6056 "Recommendations for Transport-Protocol Port Randomization", TCP ports are randomly chosen. But the randomization does not guarantee that the port is not reused within 4 minutes (2 x the TCP Maximum Segment Lifetime, specified in RFC 1122).

The problem is occurring when the server-side of the TCP connection is closing the connection first, for instance when the HTTP Keep-Alive is disabled with the HTTP header "Connection: closed". In this case, the TCP connection stays in the TIME_WAIT state for a short period on the server-side, but the TCP connection is immediately CLOSED on the client side. The Solaris server accepts a new connection anyway, but the Cisco PIX and ACE firewall in between rejects them.

A more detailed explanation is available here: http://blog.davidvassallo.me/2010/07/13/time_wait-and-port-reuse/

RFC 6191 specifies that TCP timestamps defined in RFC 1323 can be used to shorten the TIME_WAIT period for a socket. To activate it under Solaris, run the following command on the machine initiating the TCP connections:

sudo ndd -set /dev/tcp tcp_tstamp_always 1

The firewall must use this TCP field in its heuristics to make it work however.

Otherwise, it is possible to disable port randomization on Solaris 11 by adding the following line in /etc/system and rebooting the system:

set ip:tcp_random_anon_port=0

-- 
You are receiving this mail because:
You are the assignee for the bug.
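The comment above argues that a randomized ephemeral-port allocator can hand out a port again inside the 2*MSL window even though a sequential allocator would not. The simulation below is an added example written for this page, not code from the bug report, from Apache httpd or from Solaris; it models both allocators over an assumed ephemeral range of 32768-65535 and an assumed connection rate, and counts how many new connections reuse a source port less than 240 seconds after its previous use. A stateful middlebox that still tracks the server side's TIME_WAIT entry for that 4-tuple is exactly what would reject those connections.

```python
"""Simulate ephemeral TCP source-port allocation to show why random
allocation (RFC 6056 style) reuses a port inside the 2*MSL TIME_WAIT
window far sooner than sequential allocation does.

Added example for this page. The port range and the connection rate are
assumptions for the model, not values taken from the bug report or from
Solaris internals."""
import random

# Assumed ephemeral range for the model (not taken from the page).
PORT_LOW, PORT_HIGH = 32768, 65535
PORT_COUNT = PORT_HIGH - PORT_LOW + 1
# 2 x Maximum Segment Lifetime: RFC 1122 puts MSL at 2 minutes, so 4 minutes.
TWO_MSL_SECONDS = 240


def sequential_ports(count):
    """Yield ports the way a sequential allocator does: increment, wrap at the top."""
    port = PORT_LOW
    for _ in range(count):
        yield port
        port = PORT_LOW if port == PORT_HIGH else port + 1


def random_ports(count, seed=1):
    """Yield ports from a uniformly random allocator (seeded so runs are repeatable)."""
    rng = random.Random(seed)
    for _ in range(count):
        yield rng.randint(PORT_LOW, PORT_HIGH)


def count_premature_reuse(ports, rate_per_second):
    """Count connections whose source port was last used < 2*MSL earlier.

    Connections are spaced evenly at rate_per_second. Each counted event is
    a SYN that a firewall still holding the peer's TIME_WAIT state for the
    same 4-tuple may drop, which is the symptom described in the comment."""
    last_used = {}
    reused = 0
    for i, port in enumerate(ports):
        now = i / rate_per_second
        if port in last_used and now - last_used[port] < TWO_MSL_SECONDS:
            reused += 1
        last_used[port] = now
    return reused


def compare(connections=5000, rate_per_second=20):
    """Premature reuse count for both allocators under the same load."""
    return {
        "sequential": count_premature_reuse(sequential_ports(connections), rate_per_second),
        "random": count_premature_reuse(random_ports(connections), rate_per_second),
    }


def sequential_safe_rate():
    """Highest connection rate (per second) at which a sequential allocator
    cannot wrap around the whole range inside one 2*MSL window."""
    return PORT_COUNT / TWO_MSL_SECONDS


if __name__ == "__main__":
    result = compare()
    print("5000 connections at 20/s over 32768 ports:")
    print("  sequential allocator premature reuses:", result["sequential"])
    print("  random allocator premature reuses:    ", result["random"])
    print("sequential allocator is reuse-free below %.1f conn/s" % sequential_safe_rate())
```

At 20 connections per second the sequential allocator never wraps inside the window, so it produces no premature reuse, while the random allocator produces hundreds (the birthday bound: roughly n^2 / (2 * 32768) collisions for n connections). This is why the comment's two mitigations differ in kind: TCP timestamps let the peer and the middlebox distinguish the new connection from the old one, whereas `tcp_random_anon_port=0` simply restores the sequential behaviour modelled here and gives up the RFC 6056 hardening.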